Security design scheme of third party application obtaining data

In the actual business, it is inevitable to interact and transfer data with the third-party system, so how to ensure the security of data in the transmission process (anti stealing)? In addition to the https protocol, can we add a general set of algorithms and specifications to ensure the security of transmission?

Now let's discuss some common security methods of API design, which may not be the best and have more powerful implementation methods, but this is my own experience sharing

1, About token

Token: access token, which is used in the interface to identify the identity and credentials of the interface caller and reduce the number of user name and password transfers. In general, the client (interface caller) needs to apply for an interface calling account from the server first. The server will give an appId and a key, which are used for parameter signature. Note that the key is saved to the client, and some security processing needs to be done to prevent leakage.

The value of token is generally UUID. After the server generates token, it needs to take token as key and save some information associated with token as value to the cache server (redis). When a request comes, the server will go to the cache server to check whether the token exists. If it exists, the interface will be called. There is no return interface error. It is usually implemented by interceptor or filter , tokens are divided into two types:

API token (interface token): used to access interfaces that do not require user login, such as login, registration, some basic data acquisition, etc. To obtain the interface token, you need to replace appId, timestamp and sign, sign = encrypt (timestamp+key)

User token: used to access the interface after user login, such as: get my basic information, save, modify, delete, etc. To obtain a user token, you need to change the user name and password

About the timeliness of Token: token can be one-time or effective in a period of time. The specific use depends on the business needs.

In general, the interface is better to use https protocol. If http protocol is used, the Token mechanism is just to reduce the possibility of being hacked. In fact, it can only prevent gentlemen from being villains.

Generally, three parameters, token, timestamp and sign, will be passed as parameters in the interface at the same time. Each parameter has its own purpose.

2, Introduction to timestamp

Timestamp: timestamp, which is the current timestamp when the client calls the interface. The timestamp is used to prevent DoS attacks.

When the hacker hijacks the url of the request to DOS attack, each time the interface is called, the interface will judge the difference between the current system time of the server and the timestamp passed in the interface. If the difference exceeds a certain set time (if it is 5 minutes), the request will be blocked. If it is within the set timeout range, DoS attack cannot be prevented. Timestamp mechanism can only reduce the time of DoS attack and shorten the attack time. If the hacker modifies the value of the time stamp, it can be handled through the sign signature mechanism.

DoS

DOS is the abbreviation of Denial of Service, that is, Denial of Service. The attack of DOS is called DoS attack, which aims to make computers or networks unable to provide normal services. The most common DoS attacks are network bandwidth attacks and connectivity attacks.

DoS attack refers to the intentional attack on the defect of network protocol implementation or the brutal exhaustion of the resources of the attacked object directly through barbaric means. The purpose is to make the target computer or network unable to provide normal services or resource access, so that the service system of the target system stops responding or even collapses, but this attack does not include the invasion of the target server or the target network equipment. These service resources include network bandwidth, file system space capacity, open processes or allowed connections. This kind of attack will lead to the lack of resources. No matter how fast the computer processes, how large the memory capacity and how fast the network bandwidth are, the consequences of this attack cannot be avoided.

Pingflood: this attack sends a large number of ping packets to the destination host in a short time, resulting in network congestion or host resource exhaustion.

Synflood: this attack sends SYN packets to the destination host with multiple random source host addresses, but does not respond after receiving the SYN ACK of the destination host. In this way, the destination host establishes a large number of connection queues for these source hosts. Moreover, because no ACK has been received, these queues are maintained all the time, resulting in a large consumption of resources and unable to provide services to normal requests.

Smurf: the attack sends a packet with a specific request (such as ICMP response request) to the broadcast address of a subnet, and disguises the source address as the host address to be attacked. All hosts on the subnet respond to the broadcast packet request and send the packet to the attacked host, which makes the host be attacked.

Land based: the attacker sets the source address and destination address of a packet as the address of the target host, and then sends the packet to the attacked host through IP spoofing. This packet can cause the attacked host to fall into a dead cycle due to trying to establish a connection with itself, thus greatly reducing the system performance.

Ping of Death: according to the specification of TCP/IP, the maximum length of a packet is 65536 bytes. Although the length of a packet cannot exceed 65536 bytes, the stack of multiple fragments of a packet can be achieved. When a host receives a packet with a length greater than 65536 bytes, it is attacked by Ping of Death, which will cause the host to shut down.

Teardrop: when IP packets are transmitted over the network, they can be divided into smaller segments. An attacker can implement a teardrop attack by sending two (or more) packets. The offset of the first packet is 0, the length is N, and the offset of the second packet is less than N. In order to merge these data segments, the TCP/IP stack will allocate extraordinary huge resources, resulting in the lack of system resources and even the restart of the machine.

PingSweep: polling multiple hosts using ICMP Echo.

3, About sign

nonce: random value is the value generated randomly by the client. It is passed as a parameter. The purpose of random value is to increase the variability of sign signature. Random value is generally a combination of numbers and letters, with 6-digit length. There is no fixed rule for the composition and length of random value.

Sign: it is generally used for parameter signature to prevent illegal tampering of parameters. The most common is to modify important sensitive parameters such as amount, Generally, the value of sign is to sort all non empty parameters according to the ascending sequence, then + token + key + timestamp + nonce (random number) is spliced together, and then some encryption algorithm is used for encryption, which is passed as a parameter sign in the interface, or put the sign in the request header.

In the process of network transmission, if the interface is hijacked by the hacker, and the parameter value is modified, and then the interface is called again. Although the parameter value is modified, the hacker does not know how the sign is calculated, what the value of the sign is made up of, what the sequence is spliced together, and the most important thing is that he does not know what the key in the signature string is , so the hacker can tamper with the value of the parameter, but can't modify the value of the sign. Before the server calls the interface, it will recalculate the value of the sign according to the rules of the sign, and then compare it with the value of the sign parameter passed by the interface. If it is equal, it means that the parameter value has not been tampered with. If it is unequal, it means that the parameter has been tampered with illegally, and the interface will not be executed.

4, Prevent duplicate submissions

For some important operations that need to prevent the client from repeatedly submitting (such as non idempotent important operations), the specific method is to save the sign as the key to redis when the request is submitted for the first time, and set the timeout, which is the same as the difference set in Timestamp.

When the same request is accessed for the second time, it will first check whether the sign exists in redis. If it exists, it will prove that the sign is repeatedly submitted, and the interface will no longer be called. If the sign is deleted in the cache server because the expiration time is up, then when the URL requests the server again, because the expiration time of the token and the expiration time of the sign are the same, the sign expiration also means that the token expires, so the same URL revisit server will be blocked because of the token error, which is why the expiration time of the sign and the token should be consistent . The mechanism of rejecting repeated calls ensures that URLs are intercepted by others and cannot be used (such as fetching data).

For which interfaces need to prevent duplicate submission, you can customize comments to mark.

Note: when all the security measures are used, sometimes they are too complex. In actual projects, they need to be tailored according to their own situations. For example, you can only use the signature mechanism to ensure that the information will not be tampered with, or you can only use the Token mechanism to provide services. How to cut it depends on the actual situation of the project and the requirements for interface security.

Five. Use process

1. The interface caller (client) applies to the interface provider (server) for the interface calling account. After the application is successful, the interface provider will give the interface caller an appId and a key parameter

3. The client takes the api_token to access the interface that can be accessed without login

4. When accessing the interface that users need to log in, the client will jump to the login page and call the login interface through user name and password. The login interface will return a usertoken, and the client will take the usertoken to access the interface that needs to be logged in

The function of sign is to prevent parameters from being tampered with. When the client calls the server, it needs to pass the sign parameter. When the server responds to the client, it can also return a sign to verify whether the returned value has been tampered with illegally. The sign algorithm passed by the client and the sign algorithm responded by the server may be different.

ThreadLocal is the global context within a thread. It is the memory shared between methods in a single thread. Each method can get and modify values from the context.

Actual case:

When the api is called, a token parameter will be passed. Usually, an interceptor will be written to verify whether the token is legal. We can find the corresponding user information (User) through the token. If the token is legal, then the user information will be stored in ThreadLocal, so that the information of the user can be accessed at any layer of the controller, service and dao. It acts like a request scope in the Web.

In the traditional way, if we want to access a variable in a method, we can pass a parameter to the method in the form of a parameter. If multiple methods are to be used, then each method needs to pass a parameter. If we use ThreadLocal, all methods do not need to pass a parameter. Each method can access the value through ThreadLocal.

Summary: This is some commonly used parameters and use examples in the interaction process of the third-party data interface, hoping to help you a little.

Of course, in order to ensure more security, RSA,RSA2, AES and other encryption methods can be added to ensure more security of data, but the only disadvantage is that encryption and decryption consume CPU resources.